
Cross Site Scripting Vulnerability in Latest Release

Open · HatBoy opened this issue 5 years ago · 1 comment

Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.

Description: Cross-site scripting (XSS) vulnerability in quokka/admin/actions.py, lines 90 and 151, because there is no filter on the username. The vulnerable code is:

```python
flash(Markup(
    f'Profile block for {user["username"]} '
    f'Created at: '
    f'<a href="{newlink}">{new.inserted_id}</a>'
))
```

Steps To Reproduce:

1. Create a user whose username is an XSS payload, like:
2. Select the username and create a user profile block, then trigger the payload.

author by [email protected]

HatBoy, Mar 21 '19 08:03
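The unescaped interpolation reported above, reduced to a pure function beside a hardened form. This is an added example, not code from quokka or from PR #678; it uses the standard library's `html.escape` as a stand-in for `markupsafe.escape` (what Flask's `Markup` ships with), and the sample username and link are constructed.

```python
# Added example (not quokka's own code and not the fix from PR #678): the
# message construction from admin/actions.py as a pure function, so the
# vulnerable and hardened variants can be compared on the same input.
import html


def flash_markup_vulnerable(username: str, newlink: str, inserted_id: str) -> str:
    # Mirrors the reported pattern: the username is interpolated into HTML
    # verbatim, so any markup it contains becomes part of the flashed message.
    return (f'Profile block for {username} '
            f'Created at: '
            f'<a href="{newlink}">{inserted_id}</a>')


def flash_markup_hardened(username: str, newlink: str, inserted_id: str) -> str:
    # html.escape stands in for markupsafe.escape; its quote=True default also
    # escapes " and ', which keeps the values safe inside the href attribute.
    # Escaping covers HTML injection only: newlink should stay an app-generated
    # path (as it is in the report), never a user-supplied URL.
    return (f'Profile block for {html.escape(username)} '
            f'Created at: '
            f'<a href="{html.escape(newlink)}">{html.escape(str(inserted_id))}</a>')


def leaks_raw_markup(rendered: str, untrusted: str) -> bool:
    # Simple regression check: an untrusted value containing '<' must never
    # appear unchanged in the rendered HTML.
    return '<' in untrusted and untrusted in rendered


# Constructed sample values, not taken from the report.
SAMPLE_USERNAME = '<i>not-a-name</i>'
SAMPLE_LINK = '/admin/profile-block/1'
SAMPLE_ID = 'abc123'

if __name__ == '__main__':
    print(flash_markup_vulnerable(SAMPLE_USERNAME, SAMPLE_LINK, SAMPLE_ID))
    print(flash_markup_hardened(SAMPLE_USERNAME, SAMPLE_LINK, SAMPLE_ID))
```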

This issue was fixed in PR https://github.com/rochacbruno/quokka/pull/678

marcosptf, Jun 07 '19 14:06